The protection of your privacy, including your personal data, is of great importance to the European External Action Service (EEAS), as a European public administration.

Privacy and data protection have become increasingly crucial in our everyday life, both in private and at work. The rights to privacy and data protection have long been recognised as fundamental rights, set out in Articles 7 and 8 of the EU Charter of Fundamental Rights. A specific legislative act, renewed for the institutions, bodies, offices and agencies of the European Union (Regulation (EU) 2018/1725), also applies to the EEAS when processing personal data. The revised legal framework intends to guarantee a high level of data protection when it comes to collecting and storing personal data for the benefit of Union citizens, EU institution staff and of our partners in the world. It entered into force the same year and is harmonised with the principles of the General Data Protection Regulation (the GDPR), which is applicable for Member States' authorities, the private sector and civil society organisations.

To meet its obligations to EU citizens and to any individual, the EEAS frequently needs to collect, process and keep personal data, such as names, functions, office addresses, phone numbers, photos or other data, including specific information about people in the context of an EEAS activity, including security, defence and crisis response, public diplomacy, development cooperation as well as HR management, IT applications, conference, meeting and event organisation, budget or other administrative procedures and procurements.

What is personal data?

Personal data is information relating to you or any identified or identifiable natural person stored or displayed in a way that would directly or indirectly identify an individual. Examples include the name, photo, birth date, ID number, even the phone number or e-mail address, but also characteristics if linked to the person and data about behaviour, travel or shopping habits, profiles also on social media platforms.

collected for specified, explicit and legitimate purposes and not further processed for any incompatible purpose

adequate, relevant and limited to what is necessary

accurate and kept up to date enabling inaccurate or incomplete data to be corrected or erased

kept for no longer than necessary

processed securely including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

not transferred to third parties without adequate safeguards

processed in a way that you can exercise your rights as a data subject

Each directorate, division and service within the EEAS and all EU Delegations are required to collect, handle and keep data identifying individuals according to the rights and obligations laid down in the data protection legal framework. The EEAS Data Protection Office is consulted when activities involve such collection, transfer or storage of data. All information of a personal nature provided to the EEAS - namely data which can identify a person directly or indirectly - will be handled with the necessary care.

The GDPR harmonises data protection requirements across all EU Member States, enforcing rights for data subjects, which apply extraterritorially to any organisation controlling and processing data of natural persons in the European Union.

The EEAS intends to inform people whose personal data is processed, that is, individuals whose data has been collected, handled and eventually kept for a period of time. By means of Privacy Statements or Data Protection Notices, the EEAS provides information on the processing and on how to exercise individual rights.

You have the right, free of charge:

to be informed of any processing of your personal data:

who is in charge of the data processing

what the purpose and the legal bases are

what type of data are being processed

who has access to the collected data

how long it is kept

what logic is used in any automated decision-making process concerning your data

to access your data;

to correct (rectify) them when inaccurate or incomplete;

to have your data erased in certain circumstances (such as when the processing is unlawful or the data is inaccurate), their processing restricted (for example while they are rectified or when a dispute about the lawfulness is to be decided) and to object to the processing of your personal data based on your specific circumstances.

To exercise your rights, you can contact the data controller in charge of the processing of personal data. The functional mailbox of the data controller entity appears on the privacy statement or data protection notice for each data processing activity.

You may lodge a complaint at any time with the European Data Protection Supervisor (EDPS) who acts as an independent supervisory authority for EU institutions and bodies, offices and agencies devoted to protecting personal data and privacy and promoting good practice on the basis of EU Decision 1247/2002/EC on the regulations and general conditions governing the performance of the European Data Protection Supervisor's duties.

European Data Protection Supervisor (EDPS)

As data protection is a fundamental right in the European Union, it also includes the right to supervision by an independent authority.

The EDPS is responsible for ensuring the protection of personal data by the EU institutions, bodies, offices and agencies.

The Register is based on the records submitted by data controllers along with the relevant Privacy Statements and is therefore available only in the language of the record, generally in English. Processing activities that have been prior-checked by the European Data Protection Supervisor under Article 27 of the former data protection Regulation (EC) 45/2001 are available on the webpage about prior-checking opinions of the EDPS.

To be able to comply with the provisions of the revised data protection regulation, the EEAS register is going through a migration process. If you are looking for a specific processing activity, you may also contact the EEAS Data Protection Officer.

supporting and consulting data controllers to demonstrate compliance, record their processes and to prepare privacy statements

monitoring compliance with Regulation (EU) 2018/1725 and ensuring that the principles of data protection are applied correctly in the EEAS

raising awareness through events and trainings on data protection for staff and citizens

providing advice (guidance and recommendations on individual rights and data controller obligations), in particular about

privacy risk assessment

reporting of personal data breaches

transfers of personal data

maintaining the central register of personal data processing activities based on the records prepared by the data controllers

investigating matters and incidents on request or on own initiative

being an interface between the EEAS and the European Data Protection Supervisor

Mission Statement of the DPO:

The Data Protection Officer ensures the application of the principles of data protection in an independent manner for activities that involve personal data processing by the European External Action Service and the Union Delegations. The EEAS is a European public service that is committed to applying diligent data protection rules in the activities at all levels, both in Headquarters and in the Delegations.

The DPO provides guidance for data controllers to respect data protection obligations and to inform individuals about their rights with respect to the Regulation (EU) 2018/1725 and how the EEAS is processing their personal data.

The EEAS DPO is in charge of supporting and advising all services in Headquarters as well as EU Delegations - the data controllers processing personal data - to comply with the data protection provisions in accordance with Regulation (EU) 2018/1725. When helping to implement the data protection requirements laid down in the pertinent legislation, the DPO takes into account the specific needs of EEAS services, and of EU Delegations.

The objective of the DPO, when providing guidance to data controllers, is to facilitate the free movement of information while ensuring the protection of personal data within the EEAS and the legitimate expectation of data subjects that their right to privacy be respected.

The EEAS appoints Data Protection Coordinators and Correspondents (DPC) in the various directorates and divisions of the EEAS Headquarters and in the Union Delegations.